CISOs Must Assert Themselves Within Corporate Hierarchy

If you are like most CISOs, you may be struggling to assert yourself within your organization’s leadership structure (even if you’re not aware of it). While organizations recognize the need for cybersecurity expertise, a new ThreatTrack survey suggests they haven’t fully developed an appreciation for it.

ThreatTrack’s Role of the CISO study revealed a significant level of ambivalence regarding the position, with many C-level executives still viewing the role as a convenient scapegoat for security breaches. Almost half of C-level executives (47%) regard the CISO’s role primarily as someone who “should be held accountable for any organizational data breaches,” according to survey results. That’s even higher than the 44% of respondents who gave that answer in the same survey in 2014.

Much skepticism remains about the CISO’s leadership abilities and understanding of the business outside IT security. While 61.5% of respondents said they believe their CISO could successfully take a non-security leadership role, only 27% agreed “CISOs typically possess broad awareness of organizational objectives and business needs outside of information security.”

This contradiction clearly shows C-level executives haven’t quite made up their minds about their CISO’s leadership skills. Aside from being a scapegoat, the CISO is largely viewed as an advisor with limited or no authority. About half of respondents (51%) said CISOs “provide valuable guidance to senior leadership related to cybersecurity,” while a mere 25% said “CISOs contribute greatly to improving our day-to-day information security practices.”

In an encouraging sign, the study revealed CISOs are welcome on boards of directors, with 79% of participants saying their board of directors already has, or should include, at least one member with expertise in cybersecurity.

The view that CISOs make good directors is consistent with the idea that they make better advisors than decision makers. But while providing advice is crucial, the CISO needs to be viewed as a full-fledged member of the leadership team. It won’t happen magically, so CISOs must assert themselves through action and communication.

Survey results indicate CISOs are not effectively communicating their decisions and accomplishments. For instance, when asked whether “any cybersecurity decisions made by your CISO negatively impacted your organization’s bottom line (lost business, decreased productivity, impaired service levels, etc.),” 19.5% of participants said their CISO has yet to make a cybersecurity decision. This could mean CISOs are so new that they haven’t made a decision yet, or that they are being hamstrung, but it’s more likely they are communicating poorly.

Compared to the same survey last year, CISOs made progress in some areas but lost ground in others. That means you have some work to do to gain respect and appreciation. And that starts by communicating clearly how your work helps protect the company.